Factory AI Droid Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is not clearly malicious, but it hands a third-party coding agent broad power to change and deploy code, add extensions, and retain org-wide context without enough provenance or guardrails.
Before installing, verify the Factory droid binary and any plugins/MCP servers, use least-privileged credentials, avoid --force unless you explicitly asked for it, and require review before commits, PRs, or deployments. Also check Factory's session-memory and code-indexing controls for private repositories.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could make code changes or trigger deployment workflows in ways that are hard to review or reverse if used too broadly.
These commands can mutate repositories, produce release or deployment side effects, and bypass confirmation; the skill defines no approval or containment requirement before those actions.
```sh
droid exec "commit my changes with a good message"
droid exec "deploy to fly.io"
droid exec --force "fix lint errors"   # Auto-apply without confirmation
```
Use this only with explicit user approval for commits, PRs, deployments, and any --force mode; prefer dry-runs, branches, and manual review before applying changes.
Untrusted or misconfigured CLI/plugins/MCP servers could gain access to code, credentials, or deployment workflows.
The skill depends on a preinstalled external binary and can add MCP servers/plugins, but the artifacts provide no source, verification, permissions model, or install provenance.
Already installed at: `/Users/mitchellbernstein/.local/bin/droid`
...
```sh
droid mcp add server-name   # Add MCP server
droid plugin add name       # Add plugin
```
Verify the droid binary source and version, install only trusted plugins/MCP servers, and review extension permissions before use.
The droid CLI may act with the permissions of the logged-in Factory account or API key.
Factory authentication is expected for this integration, but it gives the CLI account-level authority; the artifacts do not show hardcoded keys or credential leakage.
```sh
droid login                          # or set FACTORY_API_KEY env var
export FACTORY_API_KEY=your-api-key
```
Use least-privileged credentials where possible and avoid exposing API keys in shared shells, logs, or project files.
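The three recommendations above (require explicit approval before `--force`, verify the droid binary before trusting it, and keep `FACTORY_API_KEY` out of project files) can be enforced with a small pre-flight wrapper. The script below is an added example written for this review; it is not ClawScan's or Factory's code. Every name in it is an assumption: the `DROID_BIN` default, the `DROID_SHA256` pin, the `DROID_ALLOW_FORCE` and `PROJECT_DIR` variables, and the function names. It treats `droid` as an opaque command and relies on no CLI flag other than the `--force` shown in the first finding.

```shell
#!/bin/sh
# Added example, not part of the ClawScan review or of Factory's tooling:
# a pre-flight wrapper that enforces the review's recommendations before
# the droid CLI runs. Hypothetical names: DROID_BIN, DROID_SHA256,
# DROID_ALLOW_FORCE, PROJECT_DIR, and the function names below.

DROID_BIN="${DROID_BIN:-$HOME/.local/bin/droid}"
DROID_SHA256="${DROID_SHA256:-}"   # digest verified out of band (hypothetical pin)

# Print the SHA-256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# 0 if $1 is an executable whose SHA-256 equals the pinned digest $2.
verify_binary() {
  [ -n "$2" ] || return 1           # an empty pin is not a verification
  [ -x "$1" ] || return 1
  [ "$(sha256_of "$1")" = "$2" ]
}

# 0 if --force appears anywhere in the argument list.
has_force_flag() {
  for a in "$@"; do
    [ "$a" = "--force" ] && return 0
  done
  return 1
}

# 0 if a plaintext FACTORY_API_KEY assignment is present in files under $1
# (for example a committed .env); the .git directory is skipped.
key_in_project_files() {
  grep -rIl --exclude-dir=.git 'FACTORY_API_KEY=' "$1" 2>/dev/null | grep -q .
}

# Policy gate: 2 for an unapproved --force, 3 for a key in project files, 0 otherwise.
# Approval is per invocation: DROID_ALLOW_FORCE=1 droid_guarded exec --force ...
droid_policy_check() {
  if has_force_flag "$@" && [ "${DROID_ALLOW_FORCE:-0}" != "1" ]; then
    echo "refusing --force: set DROID_ALLOW_FORCE=1 for this one call only if you asked for it" >&2
    return 2
  fi
  if key_in_project_files "${PROJECT_DIR:-$PWD}"; then
    echo "FACTORY_API_KEY= found in project files; move it to your shell env or a secret store" >&2
    return 3
  fi
  return 0
}

# Verify the binary, apply the policy, then run droid with the original arguments.
droid_guarded() {
  if ! verify_binary "$DROID_BIN" "$DROID_SHA256"; then
    echo "droid binary at $DROID_BIN failed verification; reinstall from a trusted source" >&2
    return 1
  fi
  droid_policy_check "$@" || return $?
  "$DROID_BIN" "$@"
}

# Usage: . ./droid_guard.sh; droid_guarded exec "fix lint errors"
```

Source the file, set `DROID_SHA256` to a digest obtained from Factory's release channel rather than from the machine being checked, and run droid only through `droid_guarded`. The grep is a cheap guard against a committed `.env`, not a replacement for a secret scanner, and the `--force` gate only covers the flag the review shows; any other auto-apply mode the CLI offers would need its own check.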
Private code or prior-session instructions could be reused unexpectedly or influence future tasks.
The skill advertises broad organizational code context and persistent session memory without explaining path scope, retention, reuse across tasks, or controls against stale/poisoned context.
- Droid has deep codebase understanding across your org
- Session-based memory for context continuity
Confirm what Factory stores, how to clear sessions, and whether org-wide code access can be limited to the repositories needed for the current task.
Added MCP servers may see prompts, code context, or tool calls depending on their permissions.
MCP support is disclosed and purpose-aligned, but the skill does not describe server identity, trust boundaries, or what data/tools added servers can access.
MCP servers for extended capabilities
...
```sh
droid mcp add server-name   # Add MCP server
```
Only connect trusted MCP servers and review their access scope before letting the agent use them.
